guidance sought

The above part.

I'm not afraid of it. And "no proofs" is not true. Please read a usenet archive of your choice of this group, so you will find my proof-of-concept code.

I cannot see one single thing Zone Alarm really helps for being secure against an attack vector. But I see some attack vectors which are added by driving Zone Alarm.

For more information, please read the discussion here.

Yours, VB.

Reply to
Volker Birk

I do not know why your results seem to vary from all other real world testings, are you behind some corporate firewall or something like that? Please stop telling people to turn off their firewalls, you seem to be about the only person in the world with this viewpoint. Your advice can make people more vulnerable than they were before - again - please stop, there are enough 'pwned' boxes out there already.

Reply to
ArtDent

I don't think so.

It depends.

I'm not doing so. I'm telling people not to offer services if they don't want to, and I'm telling people to use a simple host based packet filter if required, and not a "Personal Firewall". I'm not the only one talking like this. At the CCC ERFA Ulm / Chaostreff Bad Waldsee, we had a test of common "Personal Firewalls". All tested programs didn't offer extra security above just disabling services or using a simple host based packet filter like the Windows-Firewall, but most of them (with the exception of Kerio) are adding additional attack vectors, and we proved that. Kerio was the only one, which only added additional risk in theory because of the extra code, and no concrete additional attack vectors we found.

I don't think so. As a matter of fact, not only this is the common view in de.comp.security.*, the German sister groups of these groups here, it is a view which is shared i.e. by Heise Verlag, the leading publishers for the European computer market.

The opposite is true.

If you're interested, then I will show you the most important additional attack vectors, the common "Personal Firewalls" are adding. Because I did here already, this would be a reply. You can use a search engine of your choice to find older postings here, where you can read yourself.

Yours, VB.

Reply to
Volker Birk

Oh, excuse me, I missed the word 'personal'.

Fine and dandy - IF they knew how in the first place, they wouldn't be asking questions here.

That is fine if people know what a packet filter is, but the majority of people don't, so all you are doing is adding to the confusion.

Isn't that what you are trying to tell people to do on their own? The problem is that most people do not know how!

Then why don't you just advise people to use Kerio?

We went over this earlier, Leythos posted about the results of REAL WORLD testing - where personal firewalls protected home computers and WindowsXP firewall did not. Why is this so hard for you to understand?

If they are all so open to attack, then they wouldn't be making money, and, we would all be hearing about it from multiple sources. There would be white papers galore.

I did read your long post. I still say that most of it is not applicable to the majority of 'normal' home computer users in the real world. Some of it was simply 'nit-picking' - i.e. 'feel good' stuff. I think that perhaps you are one of these brainy types that has their 'heads in the clouds' a bit. You are worried about things that are much too esoteric for the normal user. Your advice may indeed be correct for people that have the knowledge about these things, but then they wouldn't be bothering to ask, they would already know. Those people that are asking about these things here are _usually_ much less knowledgeable, and your 'holier than thou' attitude does them no good whatsoever. They come here to have their hands held and be spoon fed a little, you seem to want to shove a funnel down their throats and force-feed them unwanted and un-needed information. All this does is to confuse the poor users more!

One last time, in real world testing personal firewalls protected computers better than either no firewall or WindowsXP firewall. You can not get much more 'bottom line' than that.

Reply to
ArtDent

Point taken, but this is exactly why he's telling so.

Stupid. A "personal firewall" is nothing more but a packet filter with some nonsense built around it. And running a packet filter without in-depth knowledge about networking does not add any security.

But they have to. Or they should pay someone who does the job for them.

Hm... it's still worse than no PFW at all?

Because he didn't take into account where systems were vulnerable with personal "firewalls" whereas Windows XP "firewall" was not? Because he didn't take into account systems infected because a personal firewall created an illusion of security?

Oh, you really don't know that infamous OS from a software vendor in Redmond, USA?

F.e. securityfocus.com

There are. Hell, even Kerio is documented to be shit by the vendor itself!

That's what personal "firewalls" are about.

Which is exactly what PFWs do. Your point being?

Obviously not. Two points:

  1. According to a study there are more people using PFWs than virus scanners, in strict contrast to their effectiveness. Hell, a lot of people believe that PFWs could protect against viruses!
  2. PFWs are promoted more and more, yet the amount of malicious software, malicious traffic and infected computers is rising and rising as if nothing has happened.

But you can. :-)

Reply to
Sebastian Gottschalk

That is called 'buying' a personal firewall. Not everyone can afford a personal computer security expert to sit and watch over their machine, so they purchase (pay someone for) a personal firewall. I am not saying these are 100% bullet proof, which is what you and VB seem to 'require', but they are better than nothing.

Taking a quote from VB himself - this is just untrue.

He posted about real world testing, not some esoteric Proof of Concept bull crapola, and in this REAL WORLD testing, pc's without pfw's were infected within a week, those with a pfw were not infected even after 6 months. Why is this so hard for you and VB to understand? Just what is your agenda anyway?

Ok, you sure 'got' me there, however, these attack 'vectors' that VB is talking about, are these even seen normally? Or are they just 'possibilities'? We (at least I) are trying to talk about normal home computer usage, not some lab experiment.

Yes, and your point is?

That he (and you?) talk over most people's heads. Putting forth information that is not applicable to the questions asked - except perhaps in your own minds.

What the hell does this have to do with the discussion underway here? You are obfuscating again! While possibly true, this has absolutely nothing to do with what we/I am trying to talk about here.

The two are not related in any way whatsoever, again, what the hell does this have to do with the current discussion? What, are you and VB governmental employees? With all the smoke and mirrors and FUD talk coming from you both it makes me wonder indeed. Anybody can do just about anything they want with statistics, shall we say that the stock market is going up or down because of the length of women's skirts? Makes just as much sense as your point number 2.

No, I can not, but then I at least _try_ to apply logic to these things.

Reply to
ArtDent

A "personal firewall" is not intelligent, it's a piece of software. Unless AI makes big improvements in about 200 years, it won't be able to replace thinking.

Then they should not use the computer on the interwab.

They're even worse than nothing.

According to what VB said a PFW usually doesn't improve the time until first infection by any serious means. But Kerio itself has fully documented problems.

I'm telling exactly about real world samples from a lot of customers.

In my real-world testing, PCs both with and without PFWs were infected, with the latter showing significantly more lack of knowledge at the user level.

network based: Witty worm, the NIS http parser overflow, ZA did let pass the Sasser worm

application-side: almost any recent eMail worm is capable of killing about any PFW process (besides the vendors claiming this to be impossible...)

The actual security doesn't care about how good the PFW makes you feel.

And the same applies to the messages of the PFWs. Except that their information is pretty unreliable and unusable in about any context. ;-)

The point is that users are obviously too stupid for even choosing a security measure. How should they ever achieve actual security?

Lack of pirates endures global warming !!!11 Correlation doesn't prove direct causality. Lack of correlation however is a strict indication for non-causality. There is no indication that PFWs do help in any way.

Reply to
Sebastian Gottschalk

ROFL!

Notan

Reply to
Notan

Damn, what an elitist attitude, are you also in favor of neutering people if their IQ is below a certain point? Or just euthanize 'em and be done? This is the kind of attitude that I am talking about, you do not seem to want to actually help people, just tell them how wrong they are, there is a name/word for your kind of usenet poster, and that word is indeed troll.

In _your_ mind. Take off that aluminum foil hat for awhile and let the sun shine through.

And this means that it is scripture? Does he get a tithe from you too?

Simply false.

Again with the attitude. Why don't you and VB just move to some remote island somewhere and you can set up your own net, without all the other 'stupid' people in the world. You certainly are not helping. If all you can do is naysay, then the correct response to you would be stfu!

And, once again, in your own mind this may be the 'truth', but for the rest of us 'stupid' people, that don't have the inclination, knowledge, or time, to write our own operating systems, PFWs can and do help block unrequested incoming packets. Now, I have spent far too much time 'debating' this with you two. Further postings in this thread by either you or VB will get the 'correct' response I mentioned above, and nothing else. HAND

Reply to
ArtDent

Just take a look at the web to see what happens if you deny that responsibility on a broad mass. And I guess we should do the same with cars (no more need for a driver license!) and about anything else. Eventually the problem will solve itself.

Reply to
Sebastian Gottschalk

No, it's a matter of responsibility. If I have to get my car repaired, I either take it to someone who knows about it or try it on my own if and only if I have the necessary knowledge. Anything else would be stupid.

We are doing that about every service in real life. Why do people have problems with accepting the same for computers?

Because everything seems to run fine? Well, only as long they're not facing their consequences too harshly. That's what we actually need.

formatting link

This is not a matter of attitude, this is a real-world fact that I guess you're also aware of. Security doesn't work without a concept.

So what? That's not the big problem (especially not since XP SP2), that's not the biggest functionality of PFWs and that's not what matters to most people. Most people do care for Application Control, blocking both malware and their cracked software from 'phoning home'. Yay, install a PFW and you can run cracks, cheating tools and alikes you downloaded from eMule and BitTorrent with no care. You can even surf the web with IE, mail with OE and IM with MSN, ICQ or AIM !!!11 And that's why their computers are still getting infected. With or without PFWs.

Except that some PFWs already eased remote compromise.

Reply to
Sebastian Gottschalk

Huh?

Your quote clearly stated that no one, without *expert* advice or training, should even be on the Internet ("intrawab?").

Personally, I find that very funny.

Rather than ridiculing people for what they don't know, how about *teaching* them what they should know.

For someone who often says that others "just don't get it," you just don't get it.

Notan

Reply to
Notan

I'm also offering a tool for Windows 2000 to do so:

formatting link
And Torsten Mann offers a great script for that purpose:
formatting link

I'm talking i.e. about the Windows-Firewall, which implements a simple packet filter.

I could do so. As a matter of fact, also Kerio does not improve security above the level of Windows-Firewall, so why not using Windows-Firewall? There is no theoretical risk of having extra code on the PC, which additionally could have exploits.

Leythos just is a k00k. I'm not reading any more, what he's writing. He refused to prove anything he was claiming all the time, so I'm not interested any more what he has to say. I doubt, that he is in a position he is claiming all the time.

Please offer _one_ _single_ _example_, where a "Personal Firewall" offers more security than using the Windows-Firewall. I already offered many examples, where a "Personal Firewall" decreases security compared to the Windows-Firewall.

This is a common error. It is just like with religion: they're making money, because people believe in what they're offering.

You can read this in the net. And, even better: you can prove it yourself. For example, Sygate and Outpost are installing system services, which open windows. This is a security breach. You can read it here:

formatting link
From there:

| Security Considerations for Interactive Services
|
| Services running in an elevated security context, such as the
| LocalSystem account, should not create a window on the interactive
| desktop, because any other application that is running on the
| interactive desktop can interact with this window. This exposes the
| service to any application that a logged-on user executes. Also,
| services that are running as LocalSystem should not access the
| interactive desktop by calling the OpenWindowStation or GetThreadDesktop
| function.

Just have a look onto Sygate or Outpost, and you'll see, that I'm right here. Sygate and Outpost (for example) are ignoring such security design considerations and are both making your PC insecure in this way.

Opening windows from system services leads to attack vectors for privilege elevation attacks.

Please give an example, what you're meaning here.

Please offer some proof or at least arguments for this claim, because I think, the opposite is true (if compared to a PC not offering services or to the Windows-Firewall).

Yours, VB.

Reply to
Volker Birk
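The interactive-services guidance quoted in the post above can be audited on a given machine. The following is an added example, not code from the thread or from any poster: it assumes service configuration text in the layout printed by `sc qc` and flags services that run as LocalSystem with the interactive flag set. The service names and sample text are constructed, and a service that opens the interactive window station itself, as the quoted text also warns against, is not caught by this flag check.

```python
import re

SERVICE_INTERACTIVE_PROCESS = 0x100  # service-type bit: may interact with the desktop
SYSTEM_ACCOUNTS = {"localsystem", ".\\localsystem", "nt authority\\system"}

# Constructed sample in the `sc qc` layout; all service names and paths are made up.
SAMPLE_SC_QC = r"""
SERVICE_NAME: ExampleFwSvc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        BINARY_PATH_NAME   : C:\Program Files\ExampleFw\fwsvc.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleUpdater
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\ExampleFw\update.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleNetSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\ExampleFw\netsvc.exe
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: ExampleSharedSvc
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        BINARY_PATH_NAME   : C:\Program Files\ExampleFw\shared.exe
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Split `sc qc` style output into one dict of fields per service."""
    services, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*\S)\s*$", line)
        if not m:
            continue  # banner lines and blank lines carry no field
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services

def interactive_system_services(text):
    """Names of services that run as LocalSystem with the interactive flag set."""
    hits = []
    for svc in parse_sc_qc(text):
        svc_type = int(svc.get("TYPE", "0").split()[0], 16)  # type is printed in hex
        account = svc.get("SERVICE_START_NAME", "").lower()
        if svc_type & SERVICE_INTERACTIVE_PROCESS and account in SYSTEM_ACCOUNTS:
            hits.append(svc["SERVICE_NAME"])
    return hits

if __name__ == "__main__":
    for name in interactive_system_services(SAMPLE_SC_QC):
        print("LocalSystem service allowed to open desktop windows:", name)
```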

This is a misunderstanding. Sebastian thinks, users should mandate someone with clue. This is not my intention for home users.

I think, Microsoft has to offer operating systems, which don't have such security problems.

And: people should use the Windows-Firewall until this happens, not using Internet Explorer or Outlook or Outlook Express, being careful what to download from where, and considering a virus scanner, which can help to filter out already known viruses, like a spam filter can filter out already known spam.

This is just not true, if the PCs are secured in other ways, say: with the Windows-Firewall.

Because it's not true.

Yes, there were practical attacks via these vectors already.

Even if they would be just possibilities (which they're not), then a "Personal Firewall" would lose against the Windows-Firewall - why having no extra security at all, but extra insecurity by installing a "security" software?

When I'm calling people to use

formatting link
if they have Windows 2000, or to use Windows XP SP2 in default configuration, if they have Windows XP, then I'm talking over most people's heads? IBTD.

I don't know, if Sebastian is. I'm not.

Please offer an argument, where I'm doing in FUD. This accusation is ridiculous.

I'm not talking about statistics. I'm talking about concrete security problems, "Personal Firewalls" are bringing to your desktop PC, and I'm proving with my own source code, that the additional features they have are not useful at all. Even

formatting link
added my PoC code. You can find it here:

formatting link
Yours, VB.

Reply to
Volker Birk

Unfortunately, Sebastian refuses to pay money to me until now ;-)

You're claiming that it does - please offer a proof. Please offer a proof compared with the Windows-Firewall.

Would you please recognize, that this is not my opinion, what Sebastian is writing? When I want to express my opinions, be sure that I will write a posting myself.

Yours, VB.

Reply to
Volker Birk

Maybe "expert" is the wrong word, but generally yes.

A computer user should be able to differentiate between hardware and software functions, should be able to predict the consequences of his input and should have generic knowledge about certain C2 security mechanisms (privilege separation, ACLs, user vs. system data).

I don't think that this is hard to understand. But I think that the general computer user is not just a bit, but far below the required level of understanding.

It's more like ridiculing people for being unwilling to learn necessary things. It's OK if they don't want to do so, but then they should pay someone who does the job.

Reply to
Sebastian Gottschalk

Isn't the idea of a firewall to not only keep the bad out, but also to keep the good in?

If I'm not mistaken, the Windows firewall only performs the former, while third-party software also adds the latter. Is this *not* an improvement?

While I realize that software firewalls aren't the end-all, be-all for system security, do they not provide *some* type of warning system for the casual user?

Notan

Reply to
Notan

I don't think so. The idea of a firewall is to control communication between security zones.

Please use a usenet archive of your choice. "Controlling outbound" does not work at all.

I doubt that. They're offering warning popups. But I really doubt, that this is a sensible warning system for a home user or another casual user.

Yours, VB.

Reply to
Volker Birk

I'd say the *vast* majority of users are *not* computer savvy. Most of them want to sit down, surf the Web, converse via e-mail, import and export business and/or personal documents, etc. In addition, those same people, typically, don't want to spend a lot of money on a system.

Granted, those people are easily lulled into a false sense of security by the software firewall manufacturers (among others), but that's reality.

All you can do is *offer* additional information to those people. Force feeding, or insulting them, isn't going to improve things.

Notan

Reply to
Notan

Or get a clue on their own. Or something in between.

A second big concern is that Microsoft should not offer operating systems with important security mechanisms disabled by default. Unfortunately Windows Vista won't be so much better.

"But this Crack is from CORE (a famous cracker team) as you can see by this logo, and for sure they wouldn't not risk their fame by spreading malware"

And rightout the Photoshop crack installer extracted and executed 22 executables to the system directory, started some downloads and installed even more crap, csrss.exe crashing rightout, without even doing anything to Photoshop

"Oh, but the Personal Firewall will protect my"

"Oops, it's disabled. Damn, it doesn't start up. No, I don't want to reinstall yet again. Please fix it for me!"

;-(

And this is why PFWs don't have any effect in mass.

The big point is that common malware has been utilizing the concepts your PoC shows since ever and the PoC is just a harsh point-out on known existent problems.

Reply to
Sebastian Gottschalk
